changeset 5402:fbf3ede7541b

mod_http_oauth2: More appropriate error conditions in client validation Specified in RFC7591 for these kinds of issues.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:22:17 +0200
parents c8d04ac200fc
children c574aaaa4d57
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 6 insertions(+), 6 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:20:55 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:22:17 2023 +0200
@@ -755,12 +755,12 @@
 
 	local client_uri = url.parse(client_metadata.client_uri);
 	if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
-		return nil, oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
+		return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
 	end
 
 	for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 		if not redirect_uri_allowed(redirect_uri, client_uri, client_metadata.application_type) then
-			return nil, oauth_error("invalid_request", "Invalid, insecure or inappropriate redirect URI.");
+			return nil, oauth_error("invalid_redirect_uri", "Invalid, insecure or inappropriate redirect URI.");
 		end
 	end
 
@@ -768,10 +768,10 @@
 		if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then
 			local components = url.parse(client_metadata[field]);
 			if components.scheme ~= "https" then
-				return nil, oauth_error("invalid_request", "Insecure URI forbidden");
+				return nil, oauth_error("invalid_client_metadata", "Insecure URI forbidden");
 			end
 			if components.authority ~= client_uri.authority then
-				return nil, oauth_error("invalid_request", "Informative URIs must have the same hostname");
+				return nil, oauth_error("invalid_client_metadata", "Informative URIs must have the same hostname");
 			end
 		end
 	end
@@ -781,9 +781,9 @@
 		if k:find"_uri#" then
 			local uri = url.parse(v);
 			if not uri or uri.scheme ~= "https" then
-				return nil, oauth_error("invalid_request", "Missing, invalid or insecure "..k);
+				return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure "..k);
 			elseif uri.host ~= client_uri.host then
-				return nil, oauth_error("invalid_request", "All URIs must use the same hostname as client_uri");
+				return nil, oauth_error("invalid_client_metadata", "All URIs must use the same hostname as client_uri");
 			end
 		end
 	end